You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@zeppelin.apache.org by Srikanth G N <sr...@sentienz.com> on 2017/12/14 08:50:55 UTC

ShiroFilter does not kick for urls not starting with /api

I am trying to enable Oauth on Zeppelin using shiro - buji-pac4j, Oauth is
working, but shiroFilter works only urls like http://myhomelink/api but not
for http://myhomelink,  so i modified /api* to /*, it started working,
basically this is the original code in zeppelinServer.java

    if (!StringUtils.isBlank(shiroIniPath)) {
      webapp.setInitParameter("shiroConfigLocations", new
File(shiroIniPath).toURI().toString());
      SecurityUtils.initSecurityManager(shiroIniPath);
      webapp.addFilter(ShiroFilter.class, "/api/*",
EnumSet.allOf(DispatcherType.class));
      webapp.addEventListener(new EnvironmentLoaderListener());
    }

Shiro URLs is as below
[urls]
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by
urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
/api/version = anon
/callback = callbackFilter
/api/login/logout = logoutFilter
/** = formClientSecurityFilter 
/** = oidcSecurityFilter

Request the experts to help me udnerstand how to ensure shiroFilter is
getting applied to all the URLS.
What is the necesssity of keeping it /api* instead of /*

Regs
Srikanth G N




-----
Srikanth G N
Sentienz
--
Sent from: http://apache-zeppelin-users-incubating-mailing-list.75479.x6.nabble.com/